def testValidateSyntaxSimple(self): artifact = rdf_artifacts.Artifact(name="Foo", doc="This is Foo.", provides=["fqdn", "domain"], supported_os=["Windows"], urls=["https://example.com"]) ar.ValidateSyntax(artifact)
def testValidateSyntaxWithSources(self): registry_key_source = { "type": rdf_artifacts.ArtifactSource.SourceType.REGISTRY_KEY, "attributes": { "keys": [ r"%%current_control_set%%\Control\Session " r"Manager\Environment\Path" ], } } file_source = { "type": rdf_artifacts.ArtifactSource.SourceType.FILE, "attributes": { "paths": [r"%%environ_systemdrive%%\Temp"] } } artifact = rdf_artifacts.Artifact( name="Bar", doc="This is Bar.", provides=["environ_windir"], supported_os=["Windows"], urls=["https://example.com"], sources=[registry_key_source, file_source]) ar.ValidateSyntax(artifact)
def ArtifactsFromYaml(self, yaml_content): """Get a list of Artifacts from yaml.""" raw_list = list(yaml.safe_load_all(yaml_content)) # TODO(hanuszczak): I am very sceptical about that "doing the right thing" # below. What are the real use cases? # Try to do the right thing with json/yaml formatted as a list. if (isinstance(raw_list, list) and len(raw_list) == 1 and isinstance(raw_list[0], list)): raw_list = raw_list[0] # Convert json into artifact and validate. valid_artifacts = [] for artifact_dict in raw_list: # In this case we are feeding parameters directly from potentially # untrusted yaml/json to our RDFValue class. However, safe_load ensures # these are all primitive types as long as there is no other # deserialization involved, and we are passing these into protobuf # primitive types. try: artifact_value = rdf_artifacts.Artifact(**artifact_dict) valid_artifacts.append(artifact_value) except (TypeError, AttributeError, type_info.TypeValueError) as e: name = artifact_dict.get("name") raise rdf_artifacts.ArtifactDefinitionError( name, "invalid definition", cause=e) return valid_artifacts
def GenerateSample(self, number=0): result = rdf_artifacts.Artifact(name="artifact%s" % number, doc="Doco", provides="environ_windir", supported_os="Windows", urls="http://blah") return result
def testValidateSyntaxMissingDoc(self): artifact = rdf_artifacts.Artifact(name="Baz", provides=["os"], supported_os=["Linux"]) with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError, "missing doc"): ar.ValidateSyntax(artifact)
def testValidateSyntaxBrokenProvides(self): artifact = rdf_artifacts.Artifact(name="Thud", doc="This is Thud.", provides=["fqdn", "garbage"], labels=["Network"]) with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError, "'garbage'"): ar.ValidateSyntax(artifact)
def testValidateSyntaxInvalidLabel(self): artifact = rdf_artifacts.Artifact(name="Norf", doc="This is Norf.", provides=["domain"], labels=["Mail", "Browser", "Reddit"], supported_os=["Darwin"]) with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError, "'Reddit'"): ar.ValidateSyntax(artifact)
def testValidateSyntaxInvalidSupportedOs(self): artifact = rdf_artifacts.Artifact(name="Quux", doc="This is Quux.", provides=["os"], labels=["Cloud", "Logs"], supported_os=["Solaris"]) with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError, "'Solaris'"): ar.ValidateSyntax(artifact)
def testGetArtifactPathDependencies(self): sources = [{ "type": rdf_artifacts.ArtifactSource.SourceType.REGISTRY_KEY, "attributes": { "keys": [ r"%%current_control_set%%\Control\Session " r"Manager\Environment\Path" ] } }, { "type": rdf_artifacts.ArtifactSource.SourceType.WMI, "attributes": { "query": "SELECT * FROM Win32_UserProfile " "WHERE SID='%%users.sid%%'" } }, { "type": rdf_artifacts.ArtifactSource.SourceType.GREP, "attributes": { "content_regex_list": ["^%%users.username%%:"] } }] artifact = rdf_artifacts.Artifact( name="artifact", doc="Doco", provides=["environ_windir"], supported_os=["Windows"], urls=["http://blah"], sources=sources) self.assertItemsEqual( [x["type"] for x in artifact.ToPrimitiveDict()["sources"]], ["REGISTRY_KEY", "WMI", "GREP"]) class Parser1(object): knowledgebase_dependencies = ["appdata", "sid"] class Parser2(object): knowledgebase_dependencies = ["sid", "desktop"] @classmethod def MockGetClassesByArtifact(unused_cls, _): return [Parser1, Parser2] with utils.Stubber(parser.Parser, "GetClassesByArtifact", MockGetClassesByArtifact): self.assertItemsEqual( ar.GetArtifactPathDependencies(artifact), [ "appdata", "sid", "desktop", "current_control_set", "users.sid", "users.username" ])
def testValidateSyntaxBadSource(self): source = { "type": rdf_artifacts.ArtifactSource.SourceType.ARTIFACT_GROUP, "attributes": {} } artifact = rdf_artifacts.Artifact(name="Barf", doc="This is Barf.", provides=["os"], labels=["Logs", "Memory"], sources=[source]) with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError, "required attributes"): ar.ValidateSyntax(artifact)
def testValidateSyntaxBadPathDependency(self): sources = [{ "type": rdf_artifacts.ArtifactSource.SourceType.FILE, "attributes": { "paths": [r"%%systemdrive%%\Temp"] } }] artifact = rdf_artifacts.Artifact(name="bad", doc="Doco", provides=["environ_windir"], supported_os=["Windows"], urls=["http://blah"], sources=sources) with self.assertRaises(rdf_artifacts.ArtifactDefinitionError): ar.ValidateSyntax(artifact)
def testValidateSyntax(self): sources = [{ "type": rdf_artifacts.ArtifactSource.SourceType.REGISTRY_KEY, "attributes": { "keys": [ r"%%current_control_set%%\Control\Session " r"Manager\Environment\Path" ] } }, { "type": rdf_artifacts.ArtifactSource.SourceType.FILE, "attributes": { "paths": [r"%%environ_systemdrive%%\Temp"] } }] artifact = rdf_artifacts.Artifact(name="good", doc="Doco", provides=["environ_windir"], supported_os=["Windows"], urls=["http://blah"], sources=sources) ar.ValidateSyntax(artifact)